topic Re: Help creating regex extraction in Splunk Search

Help creating regex extraction

neerajs_81 — Thu, 24 Mar 2022 04:36:29 GMT

Gentlemen,
We are ingesting Windows SYSmon logs via TA-microsoft-sysmon , and the raw events are showing in XML format. There are couple of fields that did not get extracted and even with IFX, the accuracy of extracting these 2 fields isn't working 100%.
Below is one of the XML tags / elements from my raw event. Can someone pls assist me with regex for extracting techqniue_id and technique_name ?? As you can see, these 2 are embedded within the "RuleName" tag.

<Data Name='RuleName'>technique_id=T1055.001,technique_name=Dynamic-link Library</Data>

I have tried on regex101.com but can't get my capture group to extract these 2 values. At the end of the day, i want 2 fields techqniue_id ( with a value=T1055.001) and technique_name ( value = Dynamic-link Library) to show up under "Interesting fields" .

Thank you in advance

Re: Help creating regex extraction

ITWhisperer — Thu, 24 Mar 2022 06:05:46 GMT

Does this help?

Data Name='RuleName'>technique_id=(?<technique_id>[^,]+),technique_name=(?<technique_name>[^<]+)<

https://regex101.com/r/v0bIol/1

Re: Help creating regex extraction

neerajs_81 — Thu, 24 Mar 2022 06:44:28 GMT

Thank you so much. That did the job for 90% of the events. However i just noticed there are some raw events as below wherein the "RuleName" is empty

<Data Name='RuleName'>-</Data> <Data Name='EventType'>SetValue</Data> <Data Name='UtcTime'>2022-03-24 06:12:51.184</Data>

In such cases, the regex yours as well as the one generated by IFX ends up extracting technique_name ='UTCTime>2022-03-24 06:12:51<.

Any suggestions how to make it NOT extract or if the "RuleName" attribute is empty ? Basically in such cases, both technique_id and technique_name can be empty as well.

Re: Help creating regex extraction

ITWhisperer — Thu, 24 Mar 2022 06:47:31 GMT

If the element is empty, nothing is extracted

https://regex101.com/r/YBEmIM/1

Re: Help creating regex extraction

neerajs_81 — Thu, 24 Mar 2022 06:51:15 GMT

I am marking your post as the solution. However, i am sending you a private message with details that shows Splunk still extracting a different field i.e. UTC time despite the "RuleName" being empty. This doesn't make sense because regex101.com says otherwise.